The OpenVPN is an open multiplatform VPN solution, which allowing variety of configuration. The standard use-case is client2network setup, allowing the remote client to “dial-in” into network. Other scenario is site2site configuration, allowing seamless communication of each network device across both sites.

Description of my environment

I have two Asus RT-AC66U_B1 running Asuswrt-Merlin firmware version 384.9 with following network configuration:

Prerequisites

Setup site2site

The setup consists of two steps:

Setup standard client2network connection

Configure server side router

  1. Log on to the server side router (192.168.22.1)
  2. Select VPN from the left-hand menu and click on VPN Server tab and click on OpenVPN switch

    You can setup two VPN server configuration. We will now setup the Server 1 configuration
  3. Flip Enable OpenVPN Server switch to ON position (will change to green)
    You are now in General settings section.
  4. Tick the LAN only radio button
  5. Add some user/password in the table below by entering username and password into text fields and click on the plus button
  6. Then hit Apply, this will take some time
  7. Select Advanced Settings option in VPN Details dropdown box
  8. Set following parameters to:
  9. At Manage Client-Specific Options select Yes – you will get additional input fields
  10. Select Yes at the Allow Client <-> Client option
  11. In the Custom Configuration enter following recommended parameter
    reneg-sec 432000
  12. Hit the Apply button – will take some time.
    If everything is fine (no fatalities), you should get the General VPN Details page and the Enable OpenVPN Server should be in ON position and green.

  13. Now, you have some new buttons available, hit the first Export button (Export OpenVPN configuration file) – one file named “client1.ovpn” will be downloaded

  14. Open the file in text editor and check the first lines: for tun, tcp-client options and the correct DDNS name of the server-side router
    client
    dev tun
    proto tcp-client
    remote myprimarysite.asuscomm.com 1194

Configure client side router

  1. Log on to the client-side router (192.168.33.1)
  2. Select VPN from the left-hand menu and click on VPN Client tab and click on OpenVPN switch
  3. Click on Choose File button on Import .ovpn file option, select the previously downloaded “client1.ovpn” file and hit Upload
  4. Set Automatic start at boot time to Yes
  5. Check the lines Interface Type, Protocol and Sever Address for correct values
  6. Ensure the Username/Password Authentication is Yes
  7. Enter the username and password set on the server-side router
  8. Scroll down to Advanced Settings
  9. Check that Verify Server certificate is set to No
  10. The directives in Custom Configuration are imported from “client1.ovpn” file – don’t touch them
  11. Hit Apply button – takes again some time
  12. Flip the Service state switch to ON If anything is fine (no fatalities), the Service state switch should be green with yellow Connected message

At this moment any network device should be able to ping/connect to any network device on the server-side network.
The basic setup for client2network setup or “dial-in” setup if finished, let’s go one step beyond and configure the “return direction”
Modify the connection to site2site setup
Configure server side router
Log on to the server-side router (192.168.22.1)
Select Administration from the left-hand menu and click on System tab
Enable the SSH access as shown:

Check the JFFS2 section

If the config is like shown, no action is needed, otherwise set both parameters to Yes and reboot the server
Use some SSH client (like puTTy – can be downloaded here: https://www.chiark.greenend.org.uk/~sgtatham/putty/) and log in into router
Run following commands to create directory for OpenVPN client specific configuration
(please note: the “ccd1” folder is for Server1 and if you want to use Server2, you need directory “ccd2”)
root@RT-AC66U_B1-5668:/temp/home/root# cd /jffs/configs
root@RT-AC66U_B1-5668:/jffs/configs#
root@RT-AC66U_B1-5668:/jffs/configs# mkdir openvpn
root@RT-AC66U_B1-5668:/jffs/configs# cd openvpn
root@RT-AC66U_B1-5668:/jffs/configs/openvpn# mkdir ccd1
root@RT-AC66U_B1-5668:/jffs/configs/openvpn# cd ccd1
root@RT-AC66U_B1-5668:/jffs/configs/openvpn/ccd1#
Using vi create file called as the entered username, in this case “Remote1”
root@RT-AC66U_B1-5668:/jffs/configs/openvpn/ccd1# vi Remote1
And enter following line, which tells the server-side router that some network exists:
iroute 192.168.33.0 255.255.255.0
Save the file (enter “:wq” command)
Close puTTy and log into router’s web interface
Select VPN from the left-hand menu and click on VPN Server tab
Go to Advanced Settings
Change the content of Custom Configuration to following:
reneg-sec 432000
username-as-common-name
push "route 192.168.22.0 255.255.255.0"
client-config-dir /jffs/configs/openvpn/ccd1/
route 192.168.33.0 255.255.255.0
Hit the Apply button – will take some time
Configure client side router
Log on to the client-side router (192.168.33.1)
Select VPN from the left-hand menu and click on VPN Client tab
In section Network Settings set the parameter Create NAT on tunnel to No
*UPDATE* set the new parameter Inbound Firewall to Allow
Hit the Apply button – will take some time
Final words
After reconnecting the tunnel the communication should be possible in both directions

Disclaimer
This how-to is based on following article: https://openvpn.net/community-resources/how-to/#scope and adopted by me for my two Asus routers running Asuswrt-Merlin firmware.

(c)2019 by zolo